ATT&CK tactics and techniques can be used as a set of standard terms to describe the exploitation process of a vulnerability. For example, to exploit a vulnerability where credentials are sent in clear text, the following steps could be used:
Once the attacker has access to the valid account, there are too many possible paths to list them all.
When developing this mapping methodology, we found that three steps of an associated attack were as many as could be reasonably described. We define these steps in the following way:
Using these three components, a vulnerability impact description template can be developed:
The vulnerability allows the attacker to use [EXPLOITATION TECHNIQUE] to gain [Primary Impact], which leads to [Secondary Impact].
It may not be possible to identify an ATT&CK technique for each step of an attack. ATT&CK techniques may be written at a level of abstraction that does not match that of the vulnerability. Also, ATT&CK techniques are based on real-world attacks and not theoretical concepts. For example, the primary impact of a vulnerability may be too low-level to include an ATT&CK technique. In which case, you can use the secondary impact in place of the primary or use one of the tactic-level techniques. Mappings with just one or two components can still be useful.
This mapping methodology establishes a starting point for connecting threat actor behavior to the potential exploitation and impact of vulnerabilities. The methodology does not cover all the ways that systems are exploited.
We defined three methods to map ATT&CK techniques to vulnerabilities:
Only the vulnerability type method has mappings for all three categories. The functionality method has mappings for primary and secondary impacts. The exploit techniques method only has mappings for the exploitation technique categories.
Vulnerability Type Method
Vulnerabilities that have the same type often also have the same attack steps. This method maps ATT&CK techniques to some of the more common vulnerability types. CWE-699 (Software Development) and CWE-1000 (Research Concepts) were used to select the vulnerability types, though the method sometimes creates its own high-level categories for the sake of brevity.
The vulnerability type mappings can include the following technique categories:
If one of these categories is not included in the mapping for a particular vulnerability type, use one of the other methods to find the appropriate techniques.
Functionality Method
For a vulnerability to be useful, it needs to provide the adversary with a capability they did not have before. Adversaries are often trying to gain access to the same functionality and thus, many vulnerabilities can be grouped by functionality.
This method includes the following technique categories:
To find the exploitation technique for a vulnerability, use one of the other two mapping methods in this document.
Exploit Technique Method
This method groups techniques by the common steps taken to exploit a vulnerability. Use this method when a vulnerability type has too many possible exploitation scenarios to list in the Vulnerability Type method.
This method includes the following technique categories:
To find the exploit technique for a vulnerability, use one of the other two mapping methods in this document.
In each method there are cases where we have not included a mapping for all available categories (Exploitation Technique, Primary Impact, Secondary Impact). Technique mappings are only included for a category when it is likely that different vulnerabilities in the group share that technique. For example, vulnerabilities that modify memory (e.g., buffer overflows) share a common primary impact, but the secondary impacts and exploitation techniques are so varied that the methodology does not include a mapping for those categories.
Some groupings will have more than one technique listed for a mapping category because there are common variations within that grouping. In these cases, select only the techniques that apply to the vulnerability. For example, the cross-site scripting (XSS) vulnerability type includes an option of T1189 Drive-by Compromise or T1204.001 User Execution: Malicious Link depending on whether the attacked is stored or not.
This methodology establishes a starting point for vulnerability reporters and researchers to standardize the way they describe some vulnerability data. The methodology does not cover all the ways that systems are exploited.
Example: CVE-2018-17900
Yokogawa STARDOM Controllers FCJ, FCN-100, FCN-RTU, FCN-500, All versions R4.10 and prior, The web application improperly protects credentials which could allow an attacker to obtain credentials for remote access to controllers.
To find the appropriate ATT&CK techniques, start by identifying the vulnerability type. For CVE-2018-17900, the vulnerability is a credential management issue. Looking through the list of vulnerability types in the methodology, the "General Credential Management Errors" vulnerability type appears to be the most appropriate. Using one of the lower-level credential management vulnerability types is preferable but the CVE record does not provide the level of detail need to do so.
The ”General Credential Management Errors” vulnerability type maps to T1552 Unsecured Credentials for the primary impact and T1078 Valid Accounts for the secondary impact. These mappings follow the description in the CVE record: “improperly protects credentials which could allow an attacker to obtain credentials” matches T1552 and “for remote access to controllers” matches T1078.
The ”General Credential Management Errors” vulnerability type does not have a mapping for the exploitation technique because there are too many ways general credential management vulnerabilities can be exploited. To find the exploitation technique for CVE-2018-17900, use the Exploit Technique section. The Exploit Technique section documents a set of scenarios to help the user determine which exploitation technique(s) are appropriate for the vulnerability. For CVE-2018-17900, the entry point is the web application so the “Attacker exploits remote system application” scenario applies, which makes T1190 Exploit Public-Facing Application the exploitation technique for the vulnerability.
The description for CVE-2018-17900 can now be re-written using the ATT&CK standard.
Yokogawa STARDOM Controllers FCJ, FCN-100, FCN-RTU, FCN-500, All versions R4.10 and prior, have Unsecured Credentials which could allow an attacker to gain access to Valid Accounts by Exploiting the Public-Facing Application.
The vulnerability type section contains mappings for many of the common vulnerability types. Mappings for vulnerability types are only included if that type has a common set of techniques used to exploit the vulnerability or that can be executed when the vulnerability is exploited. Each vulnerability type will include one or more of the following where applicable, a primary and secondary impact and one or more exploitation techniques. This table establishes a starting point for describing vulnerability data and does not cover all vulnerability types or all the ways that systems are exploited.
| Vulnerability Type | Exploitation Technique | Primary Impact | Secondary Impact | Notes |
|---|---|---|---|---|
| Authentication Bypass by Capture-replay | T1040 Network Sniffing | T1190 Exploit Public-Facing Application | N/A | |
| Cleartext Transmission of Sensitive Information | T1040 Network Sniffing | T1552 Unsecured Credentials | T1078 Valid Accounts | A sub-technique can be chosen where applicable. |
| Code Injection | N/A | T1059 Command and Scripting Interpreter | N/A | A sub-technique can be used depending on the type of injection. |
| Cross-site Request Forgery (CSRF) | T1204.001 User Execution: Malicious Link | T1068 Exploitation for Privilege Escalation | Depends on the functionality the vulnerability gives access to. See the Functionality Section for guidance on which techniques are appropriate. | |
| Cross-site Scripting (XSS) |
|
T1059.007 Command and Scripting Interpreter: JavaScript | T1185 Browser Session Hijacking | There are lots of possible secondary impacts but most of them can be summed up by Browser Session Hijacking. |
| Deserialization of Untrusted Data | N/A | T1059 Command and Scripting Interpreter | N/A | |
| Directory Traversal (Relative and Absolute) | T1202 Indirect Command Execution | See the Functionality Section File Processing | See the Functionality Section File Processing | Indirect command execution is used here because the vulnerable application is being used to as a proxy to execute the file handling commands. |
| General Credential Management Errors | N/A | T1552 Unsecured Credentials | T1078 Valid Accounts | A sub-technique can be chosen where applicable. |
| General Cryptographic Issues | T1110 Brute Force |
|
N/A | |
| General Improper Access Control | N/A | See the Functionality Section | See the Functionality Section | The impacts of authentication, authorization, and permissions errors generally depend on the functionality missing the authentication, authorization or permission. |
| Hard-coded Credentials | N/A | T1078.001 Default Accounts | N/A | |
| Improper Restriction of Excessive Authentication Attempts | T1110.001 Brute Force: Password Guessing | T1078 Valid Accounts | N/A | |
| Infinite Loop | N/A | T1499.004 Endpoint Denial of Service: Application or System Exploitation | N/A | |
| OS Command Injection | T1133 External Remote Service | T1059 Command and Scripting Interpreter | N/A | Primary depends on the OS being attacked but is often T1059.004. |
| Overly Restrictive Account Lockout Mechanism | T1110 Brute Force |
|
N/A | |
| Server-Side Request Forgery (SSRF) | T1133 External Remote Service | T1090 Proxy | T1135 Network Share Discovery, T1005 Data from Local System | Tactic/Technique mismatch for the primary impact. |
| Session Fixation | N/A | T1563 Remote Service Session Hijacking | N/A | Often can be used for Initial Access. |
| SQL Injection | N/A | T1059 Command and Scripting Interpreter | T1005 Data from Local System, T1505.003 Server Software Component: Web Shell, T1136 Create Account, T1190 Exploit Public-Facing Application, T1565.001 Data Manipulation: Stored Data Manipulation | There currently is not a sub-technique for SQL commands. Not all possible secondary impacts are listed and not all secondary impacts will always apply. |
| Symlink Attacks | T1202 Indirect Command Execution | See the Functionality Section File Processing | See the Functionality Section File Processing | Indirect command execution is used here because the vulnerable application is being used to as a proxy to execute the file handling commands. |
| Uncontrolled Resource Consumption | N/A | T1499 Endpoint Denial of Service | N/A | A sub-technique may be chosen depending on the type of resource being consumed |
| Unrestricted File Upload | N/A | T1505.003 Server Software Component: Web Shell | T1059 Command and Scripting Interpreter | |
| Untrusted/Uncontrolled/Unquoted Search Path | N/A | T1574 Hijack Execution Flow | N/A | A sub-technique can be chosen where appropriate. |
| URL Redirection to Untrusted Site ('Open Redirect') | T1566.002 Phishing: Spearphishing Link | N/A | T1036 Masquerading | |
| Use of Password Hash Instead of Password for Authentication | N/A | T1550.002 Use Alternate Authentication Material: Pass the Hash | N/A | |
| Weak Password/Hashing | T1110 Brute Force | N/A | T1078 Valid Accounts | |
| XML Entity Expansion (XEE) | N/A | T1499.004 Endpoint Denial of Service: Application or System Exploitation) | N/A | |
| XML External Entity (XXE) | N/A | T1059 Command and Scripting Interpreter. | T1005 Data from Local System, T1046 Network Service Discovery |
The functionality section provides ATT&CK technique mappings based on common functions to which an adversary may be trying to gain access. Functionality represents the benefit the adversary can gain through exploitation of the vulnerability and what the adversary can do by gaining that benefit. As such, each functionality type will include primary and secondary impacts as applicable. This table provides some basic capabilities an adversary can try to gain. It does not cover all functionality types or all possible impacts.
| Functionality | Primary Impact | Secondary Impact | Notes |
|---|---|---|---|
| Change ownership or permissions | T1222 File and Directory Permissions Modification | N/A | |
| Create Account | T1136 Create Account | T1078 Valid Accounts | |
| Create/Upload file | T1505.003 Server Software Component: Web Shell | T1059 Command and Scripting Interpreter | The techniques mapped here are the ones most used when reporting vulnerabilities that create or upload files. There are likely other techniques that could apply. |
| Delete files | T1485 Data Destruction | T1499.004 Endpoint Denial of Service: Application or System Exploitation | |
| Disable protections | T1562 Impair Defenses | N/A | |
| Memory Modification (Memory Buffer Errors, Pointer Issues, Type Errors, etc.) | T1574 Hijack Execution Flow, T1499.004 Endpoint Denial of Service: Application or System Exploitation | N/A | "Hijack Execution Flow" is used here because exploitation for memory modification usually involves changing the execution flow of a process to execute the adversary's code. |
| Memory Read (Memory Buffer Errors, Pointer Issues, Type Errors, etc.) | T1005 Data from Local System, T1499.004 Endpoint Denial of Service: Application or System Exploitation | T1211 Exploitation for Defense Evasion, T1212 Exploitation for Credential Access | May need a sub-technique. |
| Modify Configuration | T1632 Subvert Trust Controls | N/A | |
| Obtain sensitive information: Credentials | T1552 Unsecured Credentials | N/A | |
| Obtain sensitive information: Other data | T1005 Data from Local System | N/A | |
| Password Reset | T1098 Account Manipulation | N/A | |
| Read files | T1005 Data from Local System | T1003.008 OS Credential Dumping: /etc/passwd and /etc/shadow, T1552.001 Unsecured Credentials: Credentials in Files | The list of secondary impacts covers common techniques included in proof-of-concepts but is not exhaustive. |
| Read from Memory | T1005 Data from Local System | N/A | |
| Restart/Reboot | T1529 System Shutdown/Reboot | N/A | |
| Write to existing file | T1565.001 Data Manipulation: Stored Data Manipulation | T1059 Command and Scripting Interpreter, T1574 Hijack Execution Flow, T1554 Compromise Client Software Binary | The list of secondary impacts covers common techniques included in proof-of-concepts but is not exhaustive. |
This section provides common mappings for exploit techniques to ATT&CK techniques. Use this list together with the vulnerability type mappings section to determine the appropriate exploitation technique when not specified in the vulnerability type mappings. This list can also be used independently to determine the appropriate exploitation technique. This can be used as a starting point for identifying exploit techniques. It does not cover all the ways that systems are exploited.
As shown in the previous section, some common vulnerability types can be exploited in many different ways. In this section, we show how it may be possible to map an exploit method of a vulnerability to an ATT&CK technique based on the associated vulnerable object (e.g., browser) and entry point of the potential compromise (e.g., user action). First, note the following:
Start by asking, "what steps are necessary to exploit this vulnerability?"
Exploit methods based on vulnerable object and entry point are given below. Example impacts (not the only option) are also listed to illustrate the difference between exploiting a vulnerability and compromising a user/machine.
| Vulnerable Object | Entry Point | Exploit Method | Example Impact |
|---|---|---|---|
| internet-facing host/system (webserver, website, database, service) | internet | T1190 (Exploit Public-Facing Application) | T1211 (Exploitation for Defense Evasion) |
| network-based application | network, commandline | T1140 (Network Sniffing); T1059 (Command and Scripting Interpreter) | T1574 (Hijack Execution Flow) |
| client application (browser, office app) | remote system | T1203 (Exploitation for Client Execution) | T1574 (Hijack Execution Flow) |
| browser | user action:visit website | T1189 (Drive-by Compromise) | |
| external remote service (vpn, service, software) | external remote service | T1133 (External Remote Service) | |
| internal remote service (smb, netlogon, print spooler) | internal remote service | T1210 (Exploitation of Remote Services) | |
| endpoint security solution; mail server | user action:execute file (email/non-enterprise service) | T1204.002 (User Execution: Malicious File) | |
| endpoint security solution; mail server | user action:click link (email/non-enterprise service) | T1204.001 (User Execution: Malicious Link) | |
| endpoint security solution | user action:click link (non-enterprise service) | T1566.003 (Phishing: Spearphishing via Service) | |
| endpoint security solution; mail server | user action:execute file | T1566.001 (Phishing: Spearphishing Attachment) | |
| os; firmware | user action:insert media | T1091 (Replication Through Removeable Media) | |
| os | network | T1574 (Hijack Execution Flow) |
When the three methods above (Vulnerability Type, Functionality, and Exploit Technique) don't support mapping the exploit type or impacts of a vulnerability, consider focusing at a higher level in ATT&CK. For many tactics within ATT&CK, there is a generic exploitation technique. When mapping techniques to vulnerabilities, exploitation can be assumed so these techniques are not as useful in this context than for other uses of ATT&CK. In this document, where possible, a more specific technique is used over the generic exploitation techniques.
| Tactic | Generic Exploitation Technique |
|---|---|
| Initial Access | 1190 Exploit Public-Facing Application |
| Execution | 1203 Exploitation of Client Execution |
| Privilege Escalation | 1068 Exploitation for Privilege Escalation |
| Defense Evasion | 1211 Exploitation for Defense Evasion |
| Credential Access | 1212 Exploitation for Credential Access |
| Lateral Movement | 1210 Exploitation of Remote Services |
CVE-2020-6960 is a SQL injection vulnerability. The SQL injection listing the Vulnerability Type section contains mappings for the Primary Impact and Secondary Impact. For the Primary Impact, the mapping is T1059 Command and Scripting Interpreter. For the Secondary Impact, there are several options to choose from. Unfortunately, the CVE record does not provide enough information to choose a Secondary Impact.
CVE-2018-17900 is about insecure credential handling. The in "General Credential Management Errors" vulnerability type applies for this vulnerability. In this case, both mappings in the methodology apply. The Primary Impact is T1552 Unsecured Credentials, when then leads to the Secondary Impact allowing the adversary to use T1078 Valid Accounts.
CVE-2020-11036 is a cross-site scripting (XSS) vulnerability. For XSS vulnerabilities, there are standard Primary Impact and Secondary Impact mappings (T1059.007 and T1185 respectively). However, the Exploitation Technique depends on what type of XSS vulnerability it is. Since CVE-2020-11036 is a stored XSS vulnerability, the mapping should be T1189 Drive-by Compromise, as the attack is stored in the web page and the victims are attacked by visiting the infected web page.
CVE-2020-5210 is a buffer overflow. Since buffer overflows modify the memory, the "Memory Modification (Memory Buffer Errors, Pointer Issues, Type Errors, etc.)" vulnerability type is used, making the Primary Impacts T1574 Hijack Execution Flow and T1499.004 Endpoint Denial of Service: Application or System Exploitation. The vulnerability also has an exploitation technique mapping of T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid. The methodology does not list T1548.001 as an exploitation technique because it is relatively rare.
Some common vulnerability types can be exploited in a variety of ways. In this section, we show how an exploit method can be mapped to an ATT&CK technique based on the type of the object that is affected - software, hardware, firmware, product, application, or code - what CVE refers to as “affected code bases.” Note the following:
Exploit methods based on affected object type are given below. Where applicable, example impacts are given to illustrate the difference between exploiting the vulnerability and compromising the user/machine. Unless another source is cited, notes are based on ATT&CK technique descriptions.
| Affected Object | Exploit Method | Example Impact | Notes |
|---|---|---|---|
Internet-facing Host/System (e.g., webserver, website, database, service) |
T1190 (Exploit Public-Facing Application); T1211 (Exploitation for Defense Evasion) |
Adversaries may attempt to exploit a weakness in an Internet-facing host or system, which may be a software bug, temporary glitch, or misconfiguration. Depending on the flaw being exploited, this may also involve Exploitation for Defense Evasion. |
|
Client Application (e.g., browser, office app) |
T1203 (Exploitation for Client Execution) |
T1574 (Hijack Execution Flow) |
Adversaries may exploit software vulnerabilities in client applications to execute code. For example, an application that fails to properly handle objects in memory may allow an attackeradversary to run arbitrary code in the context of the current user. |
T1204.001 (User Execution: Malicious Link) |
T1203 (Exploitation for Client Execution) |
A user clicking a link may lead to other execution techniques such as exploitation of a browser or application vulnerability via Exploitation for Client Execution. |
|
T1204.002 (User Execution: Malicious File) |
T1203 (Exploitation for Client Execution) |
Malware may be written to compromise a vulnerable client application (the malware is executed by a user). |
|
T1189 (Drive-by Compromise) |
Vulnerable web browsers are targets of drive-by compromises. |
||
Endpoint Security Solution (e.g., host-based firewall, AV software) |
T1204.002 (User Execution: Malicious File); T1204.001 (User Execution: Malicious Link); T1566.001 (Phishing: Spearphishing Attachment); T1566.002 (Phishing: Spearphishing Link);T1566.003 (Phishing: Spearphishing via Service) |
T1203 (Exploitation for Client Execution) |
Vulnerable endpoint security solutions may enable users to execute malicious files (received as email attachments or via malicious links). |
Network-based Application |
T1040 (Network Sniffing); T1059 (Command and Scripting Interpreter) |
T1574 (Hijack Execution Flow) |
Adversaries may sniff network traffic to capture insecure/unencrypted credentials. Adversaries may also execute commands and compromise an application through an interactive terminal or shell. |
Operating System (e.g., kernel, shell) |
T1574 (Hijack Execution Flow) |
T1499.004 (Endpoint Denial of Service: Application or System Exploitation) |
Vulnerabilities in the kernel, such as a race condition, can be exploited to elevate privilege or crash the system (DoS). |
T1091 (Replication Through Removeable Media) |
An operating system vulnerability may allow code execution from removeable media (even without Autorun enabled). |
||
Internal Remote Service (e.g,. smb, netlogon, print spooler) |
T1210 (Exploitation of Remote Services) |
TA0008 (Lateral Movement); T1068 (Exploitation for Privilege Escalation) |
Once inside a network, adversaries may exploit remote services to gain unauthorized access to other internal systems. |
External Remote Service (e.g., vpn, service, software) |
Adversaries may leverage external-facing remote services to initially access and/or persist within a network. |
In this section, we summarize several of the points made above.